[syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb
26 views
Skip to first unread message
syzbot
Dec 31, 2025, 1:02:26 AM12/31/25
to and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, edd...@gmail.com, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, s...@fomichev.me, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
Hello,
syzbot found the following issue on:
HEAD commit: 3f0e9c8cefa9 Merge tag 'block-6.19-20251226' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14d784fc580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b3903bdf68407a14
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=151f1b92580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=144f5022580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7f2d5650d243/disk-3f0e9c8c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/069034860f2d/vmlinux-3f0e9c8c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/90d1c240dc1b/bzImage-3f0e9c8c.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+619b9e...@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
pskb_expand_head+0x310/0x15d0 net/core/skbuff.c:2290
__skb_cow include/linux/skbuff.h:3853 [inline]
skb_cow_head include/linux/skbuff.h:3887 [inline]
bpf_skb_net_grow net/core/filter.c:3511 [inline]
____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
__bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
skb_data_move+0x424/0x570 include/linux/skbuff.h:-1
skb_postpush_data_move include/linux/skbuff.h:4639 [inline]
bpf_skb_generic_push net/core/filter.c:3267 [inline]
bpf_skb_net_hdr_push net/core/filter.c:3305 [inline]
bpf_skb_net_grow net/core/filter.c:3542 [inline]
____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
bpf_skb_adjust_room+0x116c/0x3310 net/core/filter.c:3699
___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
__bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4960 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
pskb_expand_head+0x1fc/0x15d0 net/core/skbuff.c:2282
__skb_cow include/linux/skbuff.h:3853 [inline]
skb_cow_head include/linux/skbuff.h:3887 [inline]
bpf_skb_net_grow net/core/filter.c:3511 [inline]
____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
__bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 6072 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 3f0e9c8cefa9 Merge tag 'block-6.19-20251226' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14d784fc580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b3903bdf68407a14
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=151f1b92580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=144f5022580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7f2d5650d243/disk-3f0e9c8c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/069034860f2d/vmlinux-3f0e9c8c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/90d1c240dc1b/bzImage-3f0e9c8c.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+619b9e...@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
pskb_expand_head+0x310/0x15d0 net/core/skbuff.c:2290
__skb_cow include/linux/skbuff.h:3853 [inline]
skb_cow_head include/linux/skbuff.h:3887 [inline]
bpf_skb_net_grow net/core/filter.c:3511 [inline]
____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
__bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
skb_data_move+0x424/0x570 include/linux/skbuff.h:-1
skb_postpush_data_move include/linux/skbuff.h:4639 [inline]
bpf_skb_generic_push net/core/filter.c:3267 [inline]
bpf_skb_net_hdr_push net/core/filter.c:3305 [inline]
bpf_skb_net_grow net/core/filter.c:3542 [inline]
____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
bpf_skb_adjust_room+0x116c/0x3310 net/core/filter.c:3699
___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
__bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4960 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
pskb_expand_head+0x1fc/0x15d0 net/core/skbuff.c:2282
__skb_cow include/linux/skbuff.h:3853 [inline]
skb_cow_head include/linux/skbuff.h:3887 [inline]
bpf_skb_net_grow net/core/filter.c:3511 [inline]
____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
__bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 6072 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jan 1, 2026, 9:20:07 PM (13 days ago) Jan 1
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When pskb_expand_head() allocates a new buffer with additional headroom
(nhead), the newly allocated headroom region is not initialized. This
uninitialized memory can later be accessed when BPF programs use
bpf_skb_adjust_room() to push headers into this space.
The call chain is:
bpf_skb_adjust_room()
-> bpf_skb_net_grow()
-> skb_cow_head()
-> pskb_expand_head() // allocates uninit headroom
-> bpf_skb_net_hdr_push()
-> bpf_skb_generic_push()
-> skb_postpush_data_move()
-> skb_data_move() // moves uninit memory
Fix this by zeroing the new headroom region immediately after allocation
in pskb_expand_head().
Reported-by: syzbot+619b9e...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
net/core/skbuff.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a00808f7be6a..875572a27e58 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2283,6 +2283,7 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
if (!data)
goto nodata;
size = SKB_WITH_OVERHEAD(size);
+ memset(data, 0, nhead);
/* Copy only real data... and, alas, header. This should be
* optimized for the cases when header is void.
--
2.43.0
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When pskb_expand_head() allocates a new buffer with additional headroom
(nhead), the newly allocated headroom region is not initialized. This
uninitialized memory can later be accessed when BPF programs use
bpf_skb_adjust_room() to push headers into this space.
The call chain is:
bpf_skb_adjust_room()
-> bpf_skb_net_grow()
-> skb_cow_head()
-> pskb_expand_head() // allocates uninit headroom
-> bpf_skb_net_hdr_push()
-> bpf_skb_generic_push()
-> skb_postpush_data_move()
-> skb_data_move() // moves uninit memory
Fix this by zeroing the new headroom region immediately after allocation
in pskb_expand_head().
Reported-by: syzbot+619b9e...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
net/core/skbuff.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a00808f7be6a..875572a27e58 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2283,6 +2283,7 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
if (!data)
goto nodata;
size = SKB_WITH_OVERHEAD(size);
+ memset(data, 0, nhead);
/* Copy only real data... and, alas, header. This should be
* optimized for the cases when header is void.
--
2.43.0
syzbot
Jan 1, 2026, 9:45:04 PM (13 days ago) Jan 1
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in bpf_prog_test_run_skb
=====================================================
BUG: KMSAN: uninit-value in bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
pskb_expand_head+0x324/0x15d0 net/core/skbuff.c:2291
pskb_expand_head+0x20a/0x15d0 net/core/skbuff.c:2282
commit: b69053dd wifi: mt76: Remove blank line after mt792x fi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10ab2a9a580000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in bpf_prog_test_run_skb
=====================================================
BUG: KMSAN: uninit-value in bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
__skb_cow include/linux/skbuff.h:3853 [inline]
skb_cow_head include/linux/skbuff.h:3887 [inline]
bpf_skb_net_grow net/core/filter.c:3511 [inline]
____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
__bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 6566 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
skb_cow_head include/linux/skbuff.h:3887 [inline]
bpf_skb_net_grow net/core/filter.c:3511 [inline]
____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
__bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================
Tested on:
=====================================================
commit: b69053dd wifi: mt76: Remove blank line after mt792x fi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10ab2a9a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b3903bdf68407a14
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=15863fb4580000
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syzbot
Jan 3, 2026, 9:01:56 PM (11 days ago) Jan 3
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When pskb_expand_head() allocates a new buffer with additional headroom,
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
both the new headroom (nhead bytes) and the old headroom copied from the
original buffer contain uninitialized memory. This can be accessed when
BPF programs use bpf_skb_adjust_room() to push headers into this space.
The call chain is:
bpf_skb_adjust_room()
-> bpf_skb_net_grow()
-> skb_cow_head()
-> pskb_expand_head() // allocates and copies uninit headroom
The call chain is:
bpf_skb_adjust_room()
-> bpf_skb_net_grow()
-> skb_cow_head()
-> bpf_skb_net_hdr_push()
-> bpf_skb_generic_push()
-> skb_postpush_data_move()
-> skb_data_move() // moves uninit memory
Fix this by zeroing both the new headroom and the copied old headroom
-> bpf_skb_generic_push()
-> skb_postpush_data_move()
-> skb_data_move() // moves uninit memory
after the memcpy in pskb_expand_head().
Reported-by: syzbot+619b9e...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
net/core/skbuff.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2288,6 +2288,7 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
* optimized for the cases when header is void.
*/
memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);
+ memset(data, 0, nhead + skb_headroom(skb));
memcpy((struct skb_shared_info *)(data + size),
skb_shinfo(skb),
--
2.43.0
syzbot
Jan 3, 2026, 9:26:05 PM (11 days ago) Jan 3
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in bpf_prog_test_run_skb
=====================================================
BUG: KMSAN: uninit-value in bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
pskb_expand_head+0x31a/0x15f0 net/core/skbuff.c:2290
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in bpf_prog_test_run_skb
=====================================================
BUG: KMSAN: uninit-value in bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
__skb_cow include/linux/skbuff.h:3853 [inline]
skb_cow_head include/linux/skbuff.h:3887 [inline]
bpf_skb_net_grow net/core/filter.c:3511 [inline]
____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
__bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 6585 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
skb_cow_head include/linux/skbuff.h:3887 [inline]
bpf_skb_net_grow net/core/filter.c:3511 [inline]
____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
__bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================
Tested on:
commit: aacb0a6d Merge tag 'pmdomain-v6.19-rc3' of git://git.k..
=====================================================
Tested on:
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16e50074580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b3903bdf68407a14
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1231369a580000
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syzbot
Jan 3, 2026, 10:48:39 PM (10 days ago) Jan 3
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When pskb_expand_head() allocates a new buffer with additional headroom,
the memcpy copies the entire old buffer including the old headroom which
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When pskb_expand_head() allocates a new buffer with additional headroom,
contains uninitialized memory. KMSAN detects this when the garbage data
is copied, triggering uninit-value warnings.
The call chain is:
bpf_skb_adjust_room()
-> bpf_skb_net_grow()
-> skb_cow_head()
-> bpf_skb_net_hdr_push()
-> bpf_skb_generic_push()
-> skb_postpush_data_move()
-> skb_data_move() // moves uninit memory
Fix this by:
-> bpf_skb_generic_push()
-> skb_postpush_data_move()
-> skb_data_move() // moves uninit memory
1. Zeroing the entire headroom region (new nhead + old headroom)
2. Copying only the actual packet data (from skb->data to skb->tail)
instead of copying from skb->head which includes garbage headroom
This ensures no uninitialized memory is ever copied while maintaining
the same buffer layout with packet data in the correct location.
Reported-by: syzbot+619b9e...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a00808f7be6a..ce3e335e4729 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2284,10 +2284,12 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
goto nodata;
size = SKB_WITH_OVERHEAD(size);
- /* Copy only real data... and, alas, header. This should be
size = SKB_WITH_OVERHEAD(size);
- * optimized for the cases when header is void.
+ /* Zero the headroom to avoid copying uninit memory.
+ * Then copy only the actual packet data.
*/
- memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);
+ memset(data, 0, nhead + skb_headroom(skb));
+ memcpy(data + nhead + skb_headroom(skb), skb->data,
+ skb_tail_pointer(skb) - skb->data);
syzbot
Jan 3, 2026, 10:58:44 PM (10 days ago) Jan 3
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
pskb_expand_head() copies the entire old buffer starting from skb->head,
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
which includes the old headroom region that may contain uninitialized
memory. KMSAN detects this during the copy and when the data is later
moved by BPF's skb_data_move().
The call chain triggering the warning is:
bpf_skb_adjust_room()
-> bpf_skb_net_grow()
-> skb_cow_head()
-> pskb_expand_head() // copies uninit old headroom
-> bpf_skb_net_hdr_push()
-> bpf_skb_generic_push()
-> skb_postpush_data_move()
-> skb_data_move() // moves uninit memory
Fix this by pre-initializing the entire new headroom region (nhead +
-> bpf_skb_net_grow()
-> skb_cow_head()
-> pskb_expand_head() // copies uninit old headroom
-> bpf_skb_net_hdr_push()
-> bpf_skb_generic_push()
-> skb_postpush_data_move()
-> skb_data_move() // moves uninit memory
old headroom) in the new buffer before copying. This ensures the
destination bytes corresponding to headroom are defined and zero,
while keeping the original linear layout intact. The memcpy still
copies from skb->head to preserve the relative offset (skb->data -
skb->head) and all header offsets (mac_header, network_header,
transport_header) in the new buffer.
Reported-by: syzbot+619b9e...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a00808f7be6a..7e493904d47a 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2284,9 +2284,10 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
goto nodata;
size = SKB_WITH_OVERHEAD(size);
- /* Copy only real data... and, alas, header. This should be
- * optimized for the cases when header is void.
+ /* Zero new and old headroom in the new buffer, then copy
size = SKB_WITH_OVERHEAD(size);
- /* Copy only real data... and, alas, header. This should be
- * optimized for the cases when header is void.
+ * original contents to preserve layout and header offsets.
*/
+ memset(data, 0, nhead + skb_headroom(skb));
memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);
memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);
memcpy((struct skb_shared_info *)(data + size),
--
2.43.0
syzbot
Jan 4, 2026, 12:21:04 AM (10 days ago) Jan 4
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in bpf_prog_test_run_skb
=====================================================
BUG: KMSAN: uninit-value in bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
pskb_expand_head+0x3b1/0x16b0 net/core/skbuff.c:2291
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in bpf_prog_test_run_skb
=====================================================
BUG: KMSAN: uninit-value in bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
__skb_cow include/linux/skbuff.h:3853 [inline]
skb_cow_head include/linux/skbuff.h:3887 [inline]
bpf_skb_net_grow net/core/filter.c:3511 [inline]
____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
__bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 6518 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
skb_cow_head include/linux/skbuff.h:3887 [inline]
bpf_skb_net_grow net/core/filter.c:3511 [inline]
____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
__bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================
Tested on:
commit: aacb0a6d Merge tag 'pmdomain-v6.19-rc3' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1682169a580000
=====================================================
Tested on:
commit: aacb0a6d Merge tag 'pmdomain-v6.19-rc3' of git://git.k..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=b3903bdf68407a14
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1109da9a580000
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syzbot
Jan 4, 2026, 1:12:05 AM (10 days ago) Jan 4
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in bpf_prog_test_run_skb
=====================================================
BUG: KMSAN: uninit-value in bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
pskb_expand_head+0x35a/0x1610 net/core/skbuff.c:2291
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in bpf_prog_test_run_skb
=====================================================
BUG: KMSAN: uninit-value in bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run_skb+0x3091/0x3200 net/bpf/test_run.c:-1
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
__skb_cow include/linux/skbuff.h:3853 [inline]
skb_cow_head include/linux/skbuff.h:3887 [inline]
bpf_skb_net_grow net/core/filter.c:3511 [inline]
____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
__bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 6582 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
skb_cow_head include/linux/skbuff.h:3887 [inline]
bpf_skb_net_grow net/core/filter.c:3511 [inline]
____bpf_skb_adjust_room net/core/filter.c:3754 [inline]
bpf_skb_adjust_room+0x103c/0x3310 net/core/filter.c:3699
___bpf_prog_run+0x1297/0xeba0 kernel/bpf/core.c:2037
__bpf_prog_run512+0xc5/0x100 kernel/bpf/core.c:2333
bpf_dispatcher_nop_func include/linux/bpf.h:1378 [inline]
__bpf_prog_run include/linux/filter.h:723 [inline]
bpf_prog_run include/linux/filter.h:730 [inline]
bpf_test_run+0x496/0xe00 net/bpf/test_run.c:423
bpf_prog_test_run_skb+0x2377/0x3200 net/bpf/test_run.c:1158
bpf_prog_test_run+0x5bb/0x9f0 kernel/bpf/syscall.c:4703
__sys_bpf+0x873/0xeb0 kernel/bpf/syscall.c:6182
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:6272
x64_sys_call+0x31c3/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================
Tested on:
commit: aacb0a6d Merge tag 'pmdomain-v6.19-rc3' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=121b369a580000
=====================================================
Tested on:
commit: aacb0a6d Merge tag 'pmdomain-v6.19-rc3' of git://git.k..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=b3903bdf68407a14
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=152c6e22580000
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
sq yu
Jan 13, 2026, 3:50:33 AM (yesterday) Jan 13
to syzkaller-bugs
I'm working on this bug.
I'll investigate the uninit-value propagation in pskb_expand_head during BPF test runs.
I'll investigate the uninit-value propagation in pskb_expand_head during BPF test runs.
Soham Metha
7:16 AM (3 hours ago) 7:16 AM
to syzbot+619b9e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Soham Metha
pskb_expand_head() allocates a new skb data buffer using
kmalloc_reserve(), which does not initialize memory. skb helpers may
later copy or move padding bytes from the buffer.
Initialize the newly allocated skb buffer to avoid propagating
uninitialized memory.
Reported-by: syzbot+619b9e...@syzkaller.appspotmail.com
Signed-off-by: Soham Metha <sohamm...@gmail.com>
---
#syz test
net/core/skbuff.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a56133902c0d..b658dcbe0698 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2280,6 +2280,7 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
gfp_mask |= __GFP_MEMALLOC;
data = kmalloc_reserve(&size, gfp_mask, NUMA_NO_NODE, NULL);
if (!data)
goto nodata;
+ memset(data, 0, size);
size = SKB_WITH_OVERHEAD(size);
--
2.34.1
kmalloc_reserve(), which does not initialize memory. skb helpers may
later copy or move padding bytes from the buffer.
Initialize the newly allocated skb buffer to avoid propagating
uninitialized memory.
Reported-by: syzbot+619b9e...@syzkaller.appspotmail.com
Signed-off-by: Soham Metha <sohamm...@gmail.com>
---
#syz test
net/core/skbuff.c | 1 +
1 file changed, 1 insertion(+)
index a56133902c0d..b658dcbe0698 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2280,6 +2280,7 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
gfp_mask |= __GFP_MEMALLOC;
data = kmalloc_reserve(&size, gfp_mask, NUMA_NO_NODE, NULL);
if (!data)
goto nodata;
+ memset(data, 0, size);
size = SKB_WITH_OVERHEAD(size);
--
2.34.1
syzbot
7:17 AM (3 hours ago) 7:17 AM
to linux-...@vger.kernel.org, sohamm...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file net/core/skbuff.c
Hunk #1 FAILED at 2280.
1 out of 1 hunk FAILED
Tested on:
commit: c537e12d Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree: upstream
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file net/core/skbuff.c
Hunk #1 FAILED at 2280.
1 out of 1 hunk FAILED
Tested on:
commit: c537e12d Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=b3903bdf68407a14
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=12d3a5fc580000
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler:
Soham Metha
7:33 AM (3 hours ago) 7:33 AM
to syzbot+619b9e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Soham Metha
pskb_expand_head() allocates a new skb data buffer using
kmalloc_reserve(), which does not initialize memory. skb helpers may
later copy or move padding bytes from the buffer.
Initialize the newly allocated skb buffer to avoid propagating
uninitialized memory.
Reported-by: syzbot+619b9e...@syzkaller.appspotmail.com
Signed-off-by: Soham Metha <sohamm...@gmail.com>
---
#syz test
net/core/skbuff.c | 3 +++
kmalloc_reserve(), which does not initialize memory. skb helpers may
later copy or move padding bytes from the buffer.
Initialize the newly allocated skb buffer to avoid propagating
uninitialized memory.
Reported-by: syzbot+619b9e...@syzkaller.appspotmail.com
Signed-off-by: Soham Metha <sohamm...@gmail.com>
---
#syz test
1 file changed, 3 insertions(+)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a56133902c0d..b0f0d3a0310b 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2282,6 +2282,9 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
data = kmalloc_reserve(&size, gfp_mask, NUMA_NO_NODE, NULL);
if (!data)
goto nodata;
+
+ memset(data, 0, size);
if (!data)
goto nodata;
+
+
size = SKB_WITH_OVERHEAD(size);
/* Copy only real data... and, alas, header. This should be
2.34.1
syzbot
8:44 AM (1 hour ago) 8:44 AM
to linux-...@vger.kernel.org, sohamm...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+619b9e...@syzkaller.appspotmail.com
Tested-by: syzbot+619b9e...@syzkaller.appspotmail.com
console output: https://syzkaller.appspot.com/x/log.txt?x=118fd92a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=46b5f80a6e7aaa5c
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+619b9e...@syzkaller.appspotmail.com
Tested-by: syzbot+619b9e...@syzkaller.appspotmail.com
console output: https://syzkaller.appspot.com/x/log.txt?x=118fd92a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=46b5f80a6e7aaa5c
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=16f4b2ef980000
Note: testing is done by a robot and is best-effort only.
Soham Metha
8:57 AM (1 hour ago) 8:57 AM
to linux-kern...@lists.linuxfoundation.org, sh...@kernel.org, syzbot+619b9e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, edd...@gmail.com, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, s...@fomichev.me, so...@kernel.org, yongho...@linux.dev, Soham Metha
syzbot
10:06 AM (1 minute ago) 10:06 AM
to and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, edd...@gmail.com, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-kern...@lists.linuxfoundation.org, linux-...@vger.kernel.org, marti...@linux.dev, s...@fomichev.me, sh...@kernel.org, sohamm...@gmail.com, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+619b9e...@syzkaller.appspotmail.com
Tested-by: syzbot+619b9e...@syzkaller.appspotmail.com
Tested on:
commit: c537e12d Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12188522580000
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+619b9e...@syzkaller.appspotmail.com
Tested-by: syzbot+619b9e...@syzkaller.appspotmail.com
Tested on:
commit: c537e12d Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=46b5f80a6e7aaa5c
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=15f21d9a580000
dashboard link: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Reply all
Reply to author
Forward
0 new messages